From cb5c9ea1c555f43429b69b898894ddd5559a7e44 Mon Sep 17 00:00:00 2001
From: Josema Camacho
Date: Fri, 23 Jan 2026 13:28:38 +0100
Subject: [PATCH] fix(attack-paths): improve findings ingestion cypher query (#9874)
---
 api/CHANGELOG.md | 1 +
 api/src/backend/tasks/jobs/attack_paths/prowler.py | 14 ++++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index 25db5fdb94..b87211a69b 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -21,6 +21,7 @@ All notable changes to the **Prowler API** are documented in this file.
 - Lazy load Neo4j driver [(#9868)](https://github.com/prowler-cloud/prowler/pull/9868)
 - Use `Findings.all_objects` to avoid the `ActiveProviderPartitionedManager` [(#9869)](https://github.com/prowler-cloud/prowler/pull/9869)
 - Lazy load Neo4j driver for workers only [(#9872)](https://github.com/prowler-cloud/prowler/pull/9872)
+- Improve Cypher query for inserting Findings into Attack Paths scan graphs [(#9874)](https://github.com/prowler-cloud/prowler/pull/9874)
 ---
diff --git a/api/src/backend/tasks/jobs/attack_paths/prowler.py b/api/src/backend/tasks/jobs/attack_paths/prowler.py
index e91dee03e9..7a92b9d760 100644
--- a/api/src/backend/tasks/jobs/attack_paths/prowler.py
+++ b/api/src/backend/tasks/jobs/attack_paths/prowler.py
@@ -25,12 +25,18 @@ INDEX_STATEMENTS = [
 ]
 INSERT_STATEMENT_TEMPLATE = """
+ MATCH (account:__ROOT_NODE_LABEL__ {id: $provider_uid})
 UNWIND $findings_data AS finding_data
- MATCH (account:__ROOT_NODE_LABEL__ {id: $provider_uid})
- MATCH (account)-->(resource)
- WHERE resource.__NODE_UID_FIELD__ = finding_data.resource_uid
- OR resource.id = finding_data.resource_uid
+ OPTIONAL MATCH (account)-->(resource_by_uid)
+ WHERE resource_by_uid.__NODE_UID_FIELD__ = finding_data.resource_uid
+ WITH account, finding_data, resource_by_uid
+
+ OPTIONAL MATCH (account)-->(resource_by_id)
+ WHERE resource_by_uid IS NULL
+ AND resource_by_id.id = finding_data.resource_uid
+ WITH account, finding_data, COALESCE(resource_by_uid, resource_by_id) AS resource
+ WHERE resource IS NOT NULL
 MERGE (finding:ProwlerFinding {id: finding_data.id})
 ON CREATE SET
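Review bot: The closing `WHERE resource IS NOT NULL` discards every finding whose `resource_uid` matches no node under the account, and nothing in the visible part of the statement records how many were skipped, so a scan graph can be missing findings with no signal to the operator. The statement continues past the end of the hunk; if it does not already do so, consider returning a count of merged findings and having the caller log the difference against the size of the `$findings_data` batch. The two-step lookup also changes behaviour compared with the old `OR`: a node that matches only on `id` is no longer linked once any node matches on `__NODE_UID_FIELD__`. If that precedence is intended, state it in a Cypher comment above the first `OPTIONAL MATCH`, for example `// Prefer the UID field; fall back to id only when no node matched on it; unmatched findings are skipped`.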